Setting up cloud access rights
To grant a user access to all the cloud resources, assign the user a role for this cloud.
Assign a role for the cloud
Management console
- Open the Users and roles page for the selected cloud. If necessary, switch to another cloud.
- Select a user to assign a role to.
- Click .
- Select Configure access.
- In the Roles for the cloud section, click .
- Select a role from the list.
CLI
See the description of the command to assign a role for a cloud:
yc resource-manager cloud add-access-binding --help
- Get a list of available clouds:
yc resource-manager cloud list
Result:
+----------------------+----------+
| ID                   | NAME     |
+----------------------+----------+
| b1gg8sgd16g7qca5onqs | my-cloud |
+----------------------+----------+
- Get a list of available roles:
yc iam role list
Result:
+--------------------------------+-------------+
| ID                             | DESCRIPTION |
+--------------------------------+-------------+
| admin                          |             |
| compute.images.user            |             |
| editor                         |             |
| ...                            |             |
+--------------------------------+-------------+
- Find out the user's ID from the login or email address. To assign a role to a service account or system group instead of a user, see the examples below.
yc iam user-account get test-user
Result:
id: gfei8n54hmfhuk5nogse
yandex_passport_user_account:
  login: test-user
  default_email: test-user@yandex.ru
- Assign the editor role for the my-cloud cloud to a user named test-user. In the subject, specify the userAccount type and the user ID:
yc resource-manager cloud add-access-binding my-cloud \
  --role editor \
  --subject userAccount:<user ID>
API
Use the updateAccessBindings method for the Cloud resource. You will need the cloud ID and the ID of the user who is assigned the role for the cloud.
- Find out the cloud ID using the list method:
curl -H "Authorization: Bearer <IAM-TOKEN>" \
  https://resource-manager.api.cloud.yandex.net/resource-manager/v1/clouds
Result:
{
  "clouds": [
    {
      "id": "b1gg8sgd16g7qca5onqs",
      "createdAt": "2018-09-23T12:14:45Z",
      "name": "cloud-b1gg8sgd16g7qc"
    }
  ]
}
- Find out the user ID from the login using the getByLogin method:
curl -H "Authorization: Bearer <IAM-TOKEN>" \
  https://iam.api.cloud.yandex.net/iam/v1/yandexPassportUserAccounts:byLogin?login=test-user
Result:
{
  "id": "gfei8n54hmfhuk5nogse",
  "yandexPassportUserAccount": {
    "login": "test-user",
    "defaultEmail": "test-user@yandex.ru"
  }
}
- Assign the user the editor role for the my-cloud cloud. Set the action property to ADD and specify the userAccount type and the user ID in the subject property:
curl -X POST \
  -H 'Content-Type: application/json' \
  -H "Authorization: Bearer <IAM-TOKEN>" \
  -d '{
    "accessBindingDeltas": [{
      "action": "ADD",
      "accessBinding": {
        "roleId": "editor",
        "subject": {
          "id": "<user ID>",
          "type": "userAccount"
        }}}]}' \
  https://resource-manager.api.cloud.yandex.net/resource-manager/v1/clouds/b1gg8sgd16g7qca5onqs:updateAccessBindings
Terraform
If you don't have Terraform, install it and configure the Yandex Cloud provider.
- Describe the properties of the cloud access rights in a configuration file:
  - cloud_id: Cloud ID. You can get a list of available clouds using the CLI command: yc resource-manager cloud list.
  - role: Role to assign. You can get a list of roles using the CLI command: yc iam role list. In one yandex_resourcemanager_cloud_iam_binding resource, you can assign only one role.
  - members section: List of users to assign the role to. Each entry may have one of the following values:
    - userAccount:<user ID>: User ID.
    - serviceAccount:<ID of service account>: ID of the service account.
    - federatedUser:<federated user ID>: ID of the federated user.
data "yandex_resourcemanager_cloud" "project1" {
  name = "Project 1"
}

resource "yandex_resourcemanager_cloud_iam_binding" "editor" {
  cloud_id = "${data.yandex_resourcemanager_cloud.project1.id}"
  role     = "editor"
  members  = [
    "userAccount:<user ID>",
  ]
}
For more detailed information on the parameters of the yandex_resourcemanager_cloud_iam_binding resource in Terraform, see the provider documentation.
- In the command line, go to the directory where you created the configuration file.
- Make sure the configuration file is correct using the command:
terraform validate
If the configuration is correct, the following message is returned:
Success! The configuration is valid.
- Run the command:
terraform plan
The terminal displays a list of resources to be created and their parameters. No changes are made at this step. If there are errors in the configuration, Terraform points them out.
- Apply the configuration changes:
terraform apply
- Confirm the changes: type yes in the terminal and press Enter. After that, access rights are granted for the cloud.
Examples
Assign multiple roles
The add-access-binding command allows you to add only one role. You can assign multiple roles using the set-access-bindings command.
Alert
The set-access-bindings command completely rewrites the access rights to the resource. All current resource roles will be deleted.
CLI
- Make sure the resource doesn't have any roles that you don't want to lose:
yc resource-manager cloud list-access-bindings my-cloud
- For example, assign a role to multiple users:
yc resource-manager cloud set-access-bindings my-cloud \
  --access-binding role=editor,subject=userAccount:<first user ID> \
  --access-binding role=viewer,subject=userAccount:<second user ID>
API
Assign the editor role to one user and the viewer role to another user:
curl -X POST \
-H 'Content-Type: application/json' \
-H "Authorization: Bearer <IAM-TOKEN>" \
-d '{
"accessBindingDeltas": [{
"action": "ADD",
"accessBinding": {
"roleId": "editor",
"subject": {
"id": "<first user ID>",
"type": "userAccount"
}
}
},{
"action": "ADD",
"accessBinding": {
"roleId": "viewer",
"subject": {
"id": "<second user ID>",
"type": "userAccount"
}}}]}' \
https://resource-manager.api.cloud.yandex.net/resource-manager/v1/clouds/b1gg8sgd16g7qca5onqs:updateAccessBindings
You can also assign roles using the setAccessBindings method.
Alert
The setAccessBindings method completely rewrites the access rights to the resource! All current resource roles will be deleted.
curl -X POST \
-H 'Content-Type: application/json' \
-H "Authorization: Bearer <IAM-TOKEN>" \
-d '{
"accessBindings": [{
"roleId": "editor",
"subject": { "id": "<first user ID>", "type": "userAccount" }
},{
"roleId": "viewer",
"subject": { "id": "<second user ID>", "type": "userAccount" }
}]}' \
https://resource-manager.api.cloud.yandex.net/resource-manager/v1/clouds/b1gg8sgd16g7qca5onqs:setAccessBindings
Terraform
- Describe the properties of the cloud access rights in a configuration file. Assign the editor role to one user and the viewer role to another user:
data "yandex_resourcemanager_cloud" "project1" {
  name = "Project 1"
}

resource "yandex_resourcemanager_cloud_iam_binding" "editor" {
  cloud_id = "${data.yandex_resourcemanager_cloud.project1.id}"
  role     = "editor"
  members  = [
    "userAccount:<first user ID>",
  ]
}

resource "yandex_resourcemanager_cloud_iam_binding" "viewer" {
  cloud_id = "${data.yandex_resourcemanager_cloud.project1.id}"
  role     = "viewer"
  members  = [
    "userAccount:<second user ID>",
  ]
}
- In the command line, go to the directory where you created the configuration file.
- Make sure the configuration file is correct using the command:
terraform validate
If the configuration is correct, the following message is returned:
Success! The configuration is valid.
- Run the command:
terraform plan
The terminal displays a list of resources to be created and their parameters. No changes are made at this step. If there are errors in the configuration, Terraform points them out.
- Apply the configuration changes:
terraform apply
- Confirm the changes: type yes in the terminal and press Enter. After that, access rights are granted for the cloud.
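The alerts above mean that set-access-bindings and setAccessBindings discard every binding you do not restate, while add-access-binding and updateAccessBindings only apply deltas. The following Python helper is an added example, not part of this documentation or of the yc tooling: it takes the bindings currently on the cloud (as list-access-bindings would report them) and the bindings you intend to have, and builds the accessBindingDeltas body for updateAccessBindings, separating the ADD actions you meant from the REMOVE actions a full rewrite would imply. The bindings and IDs are constructed placeholders.

```python
import json

# Constructed sample: bindings the cloud holds today (placeholder IDs).
CURRENT = [
    {"roleId": "resource-manager.clouds.owner",
     "subject": {"id": "<owner ID>", "type": "userAccount"}},
    {"roleId": "editor",
     "subject": {"id": "<first user ID>", "type": "userAccount"}},
]

# Constructed sample: the two bindings from the set-access-bindings example.
DESIRED = [
    {"roleId": "editor",
     "subject": {"id": "<first user ID>", "type": "userAccount"}},
    {"roleId": "viewer",
     "subject": {"id": "<second user ID>", "type": "userAccount"}},
]


def binding_key(binding):
    """Identity of a binding: role, subject type and subject ID."""
    return (binding["roleId"], binding["subject"]["type"], binding["subject"]["id"])


def additive_deltas(current, desired):
    """ADD deltas only, for bindings not already present (what add-access-binding does)."""
    have = {binding_key(b) for b in current}
    return [{"action": "ADD", "accessBinding": b}
            for b in desired if binding_key(b) not in have]


def replace_deltas(current, desired):
    """ADD plus REMOVE deltas that leave the cloud with exactly `desired`, i.e.
    the effect set-access-bindings has in one shot. Every REMOVE returned here
    is a role a full rewrite would silently drop, so review them before sending."""
    want = {binding_key(b) for b in desired}
    deltas = additive_deltas(current, desired)
    deltas += [{"action": "REMOVE", "accessBinding": b}
               for b in current if binding_key(b) not in want]
    return deltas


def update_access_bindings_body(deltas):
    """Request body for the updateAccessBindings method."""
    return json.dumps({"accessBindingDeltas": deltas}, indent=2)


if __name__ == "__main__":
    print(update_access_bindings_body(additive_deltas(CURRENT, DESIRED)))
    for d in replace_deltas(CURRENT, DESIRED):
        if d["action"] == "REMOVE":
            print("a full rewrite would remove:", d["accessBinding"]["roleId"])
```

Run against real output by replacing CURRENT with the parsed result of yc resource-manager cloud list-access-bindings and send only the body you have reviewed.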
Cloud access for service accounts
A service account can only be assigned roles for the cloud that it belongs to.
Allow the test-sa service account to manage the my-cloud cloud and its resources:
CLI
- Find out the ID of the test-sa service account that you want to assign the role to. To do this, get a list of available service accounts:
yc iam service-account list
Result:
+----------------------+----------+------------------+
| ID                   | NAME     | DESCRIPTION      |
+----------------------+----------+------------------+
| ajebqtreob2dpblin8pe | test-sa  | test-description |
+----------------------+----------+------------------+
- Assign the editor role to the test-sa service account by specifying its ID. In the subject type, specify serviceAccount:
yc resource-manager cloud add-access-binding my-cloud \
  --role editor \
  --subject serviceAccount:<service account ID>
API
- Find out the ID of the test-sa service account that you want to assign the role to. To do this, get a list of available service accounts:
curl -H "Authorization: Bearer <IAM-TOKEN>" \
  https://iam.api.cloud.yandex.net/iam/v1/serviceAccounts?folderId=b1gvmob95yysaplct532
Result:
{
  "serviceAccounts": [
    {
      "id": "ajebqtreob2dpblin8pe",
      "folderId": "b1gvmob95yysaplct532",
      "createdAt": "2018-10-18T13:42:40Z",
      "name": "test-sa",
      "description": "test-description"
    }
  ]
}
- Assign the editor role for the my-cloud cloud to the test-sa service account. In the subject property, specify the serviceAccount type and the test-sa ID. In the request URL, specify the my-cloud ID:
curl -X POST \
-H 'Content-Type: application/json' \
-H "Authorization: Bearer <IAM-TOKEN>" \
-d '{
"accessBindingDeltas": [{
"action": "ADD",
"accessBinding": {
"roleId": "editor",
"subject": {
"id": "<service account ID>",
"type": "serviceAccount"
}}}]}' \
https://resource-manager.api.cloud.yandex.net/resource-manager/v1/clouds/b1gg8sgd16g7qca5onqs:updateAccessBindings
Terraform
- Assign the editor role to a service account:
data "yandex_resourcemanager_cloud" "project1" {
  name = "Project 1"
}

resource "yandex_resourcemanager_cloud_iam_binding" "editor" {
  cloud_id = "${data.yandex_resourcemanager_cloud.project1.id}"
  role     = "editor"
  members  = [
    "serviceAccount:<service account ID>",
  ]
}
- In the command line, go to the directory where you created the configuration file.
- Make sure the configuration file is correct using the command:
terraform validate
If the configuration is correct, the following message is returned:
Success! The configuration is valid.
- Run the command:
terraform plan
The terminal displays a list of resources to be created and their parameters. No changes are made at this step. If there are errors in the configuration, Terraform points them out.
- Apply the configuration changes:
terraform apply
- Confirm the changes: type yes in the terminal and press Enter. After that, access rights are granted for the cloud.
Access to a resource for all users
You can grant public access to a resource. To do this, assign a role to the allAuthenticatedUsers or allUsers system group.
You can assign any role to a system group, except resource-manager.clouds.owner and resource-manager.clouds.member.
Alert
Do not assign a system group the editor or admin role for a folder or cloud. Otherwise, anyone who knows the folder ID can use Yandex Cloud at your expense.
For instance, allow any authenticated user to view information about the my-cloud cloud and its resources:
CLI
Assign the viewer role to the allAuthenticatedUsers system group. In the subject type, specify system:
yc resource-manager cloud add-access-binding my-cloud \
  --role viewer \
  --subject system:allAuthenticatedUsers
API
Assign the viewer role to the allAuthenticatedUsers system group. In the subject property, specify the system type:
curl -X POST \
-H 'Content-Type: application/json' \
-H "Authorization: Bearer <IAM-TOKEN>" \
-d '{
"accessBindingDeltas": [{
"action": "ADD",
"accessBinding": {
"roleId": "viewer",
"subject": {
"id": "allAuthenticatedUsers",
"type": "system"
}}}]}' \
https://resource-manager.api.cloud.yandex.net/resource-manager/v1/clouds/b1gg8sgd16g7qca5onqs:updateAccessBindings
Terraform
- Assign the viewer role to the allAuthenticatedUsers system group:
data "yandex_resourcemanager_cloud" "project1" {
  name = "Project 1"
}

resource "yandex_resourcemanager_cloud_iam_binding" "viewer" {
  cloud_id = "${data.yandex_resourcemanager_cloud.project1.id}"
  role     = "viewer"
  members  = [
    "system:allAuthenticatedUsers",
  ]
}
- In the command line, go to the directory where you created the configuration file.
- Make sure the configuration file is correct using the command:
terraform validate
If the configuration is correct, the following message is returned:
Success! The configuration is valid.
- Run the command:
terraform plan
The terminal displays a list of resources to be created and their parameters. No changes are made at this step. If there are errors in the configuration, Terraform points them out.
- Apply the configuration changes:
terraform apply
- Confirm the changes: type yes in the terminal and press Enter. After that, access rights are granted for the cloud.
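The alert in this section is easy to check mechanically before a binding for allUsers or allAuthenticatedUsers is sent or applied. The following Python check is an added example, not part of this documentation: it scans bindings in the accessBindings shape used by the API above and reports public bindings that carry editor or admin, or one of the two roles the page says cannot go to a system group; everything else public is listed for review. The sample bindings are constructed.

```python
# System groups that make a binding public.
PUBLIC_GROUPS = {"allUsers", "allAuthenticatedUsers"}
# Roles the alert above says must never be given to a system group on a folder or cloud.
RISKY_PUBLIC_ROLES = {"editor", "admin"}
# Roles the page says cannot be assigned to a system group at all.
UNASSIGNABLE_TO_SYSTEM = {"resource-manager.clouds.owner", "resource-manager.clouds.member"}


def is_public(binding):
    """True when the subject is one of the public system groups."""
    subject = binding["subject"]
    return subject["type"] == "system" and subject["id"] in PUBLIC_GROUPS


def check_public_bindings(bindings):
    """Return (severity, message) findings for every public binding.
    'block' findings should stop the change; 'info' findings are for review."""
    findings = []
    for binding in bindings:
        if not is_public(binding):
            continue
        role, group = binding["roleId"], binding["subject"]["id"]
        if role in RISKY_PUBLIC_ROLES:
            findings.append(("block", f"{role} granted to {group}: anyone who knows the "
                                      f"folder ID could use the cloud at your expense"))
        elif role in UNASSIGNABLE_TO_SYSTEM:
            findings.append(("block", f"{role} cannot be assigned to a system group ({group})"))
        else:
            findings.append(("info", f"{role} is public to {group}"))
    return findings


def has_blocking_findings(bindings):
    """Gate for a deployment step: True if any public binding must be refused."""
    return any(severity == "block" for severity, _ in check_public_bindings(bindings))


# Constructed sample: the viewer binding from this section, a risky one, and a private one.
SAMPLE = [
    {"roleId": "viewer", "subject": {"id": "allAuthenticatedUsers", "type": "system"}},
    {"roleId": "editor", "subject": {"id": "allUsers", "type": "system"}},
    {"roleId": "editor", "subject": {"id": "<user ID>", "type": "userAccount"}},
]

if __name__ == "__main__":
    for severity, message in check_public_bindings(SAMPLE):
        print(f"[{severity}] {message}")
```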